378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

资料_install (1).exe
Size

1.5MB
MD5

85df64b647baf466f4621d1be7d005e1
SHA1

c090110069d644c54c8508e8e65ddcfae25949fc
SHA256

5ffe8edc15b6cb41122f6cc2550621e81776bc6914ea6388aecd17eec073aea4
SHA512

52f7676cd7cfd91eda286dabc13139272ac8e809c70ac80c11139193659b5f28ae75876b12845a9cc60215529d780d466c36d4e2722344b7fce870454fd15b26
SSDEEP

49152:tEBdH3KQaSIE1vlbkOAZOEzRT9IynYMHK3zT27yEbYp:mBpPZIUvlkpRCyd2zwylp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2168	资料_install (1).tmp
3056	资料_install (1).tmp
2712	lPix.exe
2804	lPix.tmp
2592	lPix.exe
1972	lPix.tmp

Loads dropped DLL 18 IoCs

pid	Process
596	资料_install (1).exe
2168	资料_install (1).tmp
2168	资料_install (1).tmp
2060	资料_install (1).exe
3056	资料_install (1).tmp
3056	资料_install (1).tmp
3040	cmd.exe
2712	lPix.exe
2804	lPix.tmp
2804	lPix.tmp
2368	cmd.exe
2592	lPix.exe
1972	lPix.tmp
1972	lPix.tmp
1972	lPix.tmp
1972	lPix.tmp
1708	regsvr32.exe
2760	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2496	timeout.exe
2140	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3056	资料_install (1).tmp
3056	资料_install (1).tmp
1972	lPix.tmp
1972	lPix.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3056	资料_install (1).tmp
1972	lPix.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 596 wrote to memory of 2168	596	资料_install (1).exe	30
PID 2168 wrote to memory of 1492	2168	资料_install (1).tmp	31
PID 2168 wrote to memory of 1492	2168	资料_install (1).tmp	31
PID 2168 wrote to memory of 1492	2168	资料_install (1).tmp	31
PID 2168 wrote to memory of 1492	2168	资料_install (1).tmp	31
PID 1492 wrote to memory of 2496	1492	cmd.exe	33
PID 1492 wrote to memory of 2496	1492	cmd.exe	33
PID 1492 wrote to memory of 2496	1492	cmd.exe	33
PID 1492 wrote to memory of 2496	1492	cmd.exe	33
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 1492 wrote to memory of 2060	1492	cmd.exe	34
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 2060 wrote to memory of 3056	2060	资料_install (1).exe	35
PID 3056 wrote to memory of 3040	3056	资料_install (1).tmp	36
PID 3056 wrote to memory of 3040	3056	资料_install (1).tmp	36
PID 3056 wrote to memory of 3040	3056	资料_install (1).tmp	36
PID 3056 wrote to memory of 3040	3056	资料_install (1).tmp	36
PID 3056 wrote to memory of 2216	3056	资料_install (1).tmp	37
PID 3056 wrote to memory of 2216	3056	资料_install (1).tmp	37
PID 3056 wrote to memory of 2216	3056	资料_install (1).tmp	37
PID 3056 wrote to memory of 2216	3056	资料_install (1).tmp	37
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2712 wrote to memory of 2804	2712	lPix.exe	41
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2216 wrote to memory of 2704	2216	cmd.exe	42
PID 2804 wrote to memory of 2368	2804	lPix.tmp	43
PID 2804 wrote to memory of 2368	2804	lPix.tmp	43
PID 2804 wrote to memory of 2368	2804	lPix.tmp	43
PID 2804 wrote to memory of 2368	2804	lPix.tmp	43

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Local\Temp\is-SREFB.tmp\资料_install (1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SREFB.tmp\资料_install (1).tmp" /SL5="$3012A,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
      "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\is-25OBP.tmp\资料_install (1).tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-25OBP.tmp\资料_install (1).tmp" /SL5="$301DC,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Public\Documents\lPix.exe
        
        C:\Users\Public\Documents\lPix.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\is-LEAD2.tmp\lPix.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LEAD2.tmp\lPix.tmp" /SL5="$40226,544961,235520,C:\Users\Public\Documents\lPix.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 3
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2140
        
        C:\Users\Public\Documents\lPix.exe
        
        "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\is-OLDUQ.tmp\lPix.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OLDUQ.tmp\lPix.tmp" /SL5="$5012A,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1972
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
        13⤵
        Loads dropped DLL
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        7⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\unins000.dat

Filesize
3KB

MD5
aca6d724fe968ccd73293fd53a145d0f

SHA1
0be5918e18eda8aef132cb33df7d1c902aff2fb5

SHA256
f944e328fb2df21ca5b8c9ad2fa3d2c7087a5caaaddfc305e2fc7eb870a6c83e

SHA512
e761e913ef51698ea89811456c703ac784657774bae372faa41bb73d6271d4172155a43f881b101477f29784b0718b6215c4e6770a225b0d85d9e2bd19ad4ab7

Download Submit
C:\Users\Admin\AppData\Local\unins000.exe

Filesize
1.2MB

MD5
7d32e1d324403f5baf3443502f6732b9

SHA1
583a56865861c01413abda1daa132b577920504c

SHA256
4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313

SHA512
8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

Filesize
722KB

MD5
385e36fd28d88b4fe7051de59bcd616c

SHA1
0c6bac3bda42f8dedfba7559d092da5baaac81b4

SHA256
f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0

SHA512
5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f

Download Submit
C:\Users\Public\Documents\LDcA.xls

Filesize
18KB

MD5
d1ff725260128c439f9bce6f7a26f5ec

SHA1
a22f5c06fd34b59daa1475789f659e324368a76f

SHA256
dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d

SHA512
41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c

Download Submit
\Users\Admin\AppData\Local\Temp\is-56D2C.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LEAD2.tmp\lPix.tmp

Filesize
1.2MB

MD5
bef5bad133138ce27f0c6e73d5a2e5f9

SHA1
1cfc9e170e100fc23073cdfcf590594e18598314

SHA256
55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65

SHA512
f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

Download Submit
\Users\Admin\AppData\Local\Temp\is-SREFB.tmp\资料_install (1).tmp

Filesize
1.2MB

MD5
cf45d17c6928f460e9c66d8efd61d15f

SHA1
04f45e51c5ee587ac54084e051837cc4688f3fea

SHA256
a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b

SHA512
178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596

Download Submit
\Users\Public\Documents\lPix.exe

Filesize
985KB

MD5
8cb4b8edf79a9edaf533920c9a4d2757

SHA1
8d5b6701db176148d9bbe8cc97338798c518201c

SHA256
c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2

SHA512
82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0

Download Submit
memory/596-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/596-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/596-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-109-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2060-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2168-41-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-8-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2592-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2712-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-111-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3056-38-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download